Analysis
-
max time kernel
30s -
max time network
113s -
platform
windows10-2004_x64 -
resource
win10v2004-20231222-en -
resource tags
-
submitted
05-01-2024 11:26
General
-
Target
438fd1b4851a7e5f197213bc395b959b.exe
-
Size
672KB
-
MD5
438fd1b4851a7e5f197213bc395b959b
-
SHA1
a7bf66d2a7b448cc17e9417b9dadb1ac939207d8
-
SHA256
e3e8000633c5f872efa0cd4655259990d051576699067b8e481bcf8181976685
-
SHA512
b65de990561d7e9c400dc016fb3395341854322ff1dd68e0187161f7ea8236002f62c9d749bbcd7aaee811f4c30f4186f21496d70d01fded4b844e43e8e46974
-
SSDEEP
12288:xeBNUbTVO86UCHruRdp+WA00SKCpVRwfsXSVUhbxk9e/pJu:xJIUCNd0nKwYkX+UhbW9eM
Malware Config
Signatures
-
Disables taskbar notifications via registry modification
-
Executes dropped EXE 5 IoCs
-
Windows security modification 2 TTPs 2 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates connected drives 3 TTPs 21 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in System32 directory 40 IoCs
-
Drops file in Program Files directory 13 IoCs
-
Drops file in Windows directory 3 IoCs
-
Modifies data under HKEY_USERS 5 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious behavior: LoadsDriver 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
System policy modification 1 TTPs 2 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\438fd1b4851a7e5f197213bc395b959b.exe"C:\Users\Admin\AppData\Local\Temp\438fd1b4851a7e5f197213bc395b959b.exe"1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\alg.exeC:\Windows\System32\alg.exe1⤵
- Executes dropped EXE
- Windows security modification
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exeC:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe1⤵
- Executes dropped EXE
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv1⤵
-
C:\Windows\system32\fxssvc.exeC:\Windows\system32\fxssvc.exe1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"1⤵
- Executes dropped EXE
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"1⤵
- Executes dropped EXE
-
C:\Windows\system32\SearchIndexer.exeC:\Windows\system32\SearchIndexer.exe /Embedding1⤵
-
C:\Windows\system32\SearchProtocolHost.exe"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"2⤵
-
-
C:\Windows\system32\SearchFilterHost.exe"C:\Windows\system32\SearchFilterHost.exe" 0 804 808 816 8192 812 7882⤵
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
8KB
MD59376c99a450419f6fe21222fa643de02
SHA1de04f0abeab3a4fc832f7a42a2f0c559d4c514f6
SHA256b709eadb1d3dba1845bc81410c2a63f2e0421f5cff4888285a8544d558f358de
SHA5121a9728a5cc8e31af0a00263ad56eed27e8a3ba1fb27b5e613f7a084b3a6b16055e6d397cd42efd5124ffdf4e92a82ad83caeb7bb3abdf825fb93d7fc8c0e0ee6
-
Filesize
28KB
MD5da33892ac6cd8f2991e11d01dc40700b
SHA1196160de170c3ba1991457f8e2921c6c529f4f89
SHA2569d12a19e604f0782245eb21351a332b4e6b71a31d6714e807b914b8b0f181ed1
SHA512cb014c7a46095b9228bc1d034b5f2b36852efa0d9ecbe3a1cd8b7a32e21d747a149f4b5891161e28178b934f842c56a812869524e1fa7c61b788d219e0dbca0d
-
Filesize
55KB
MD50ea9388406b78296b6dafbc5a3d9c583
SHA12b3b556c75274911b892e56e188d53fd01aa1cd2
SHA25611b81d2ab8de1b5ea476d3efe8fc27eea48024472f8f50821dd9104584ebfe8a
SHA5122146e0a21ee6b2fb243e4ea82b8628accd99e5efbc84446d80b0b30f7b3131d3f7fb0d2c59977842d78aab38dd73df7312cf77d50c120b316540e936cfde46ee
-
Filesize
77KB
MD59cf5886cdf77958783f915e0c34a2d61
SHA1e49b8fe3757d02ba784b3bfee958132065865826
SHA2561b8b8b5ad2fbb461ddc8c9c7dbdbad8aeaa0ce45e38ddd92c2ce11edea98b478
SHA51234372a017a0a370a733bbb071d767b64a6fd6e387021daa01d5ce56ae89210c05973b6299db0870e1a41c7b973eb5b1b7d44ef5a9a6372a60bb8b4cfb79e0641
-
Filesize
4KB
MD5bb64b229805fc23c928062e43d505e46
SHA116a7ba66e2cc519e395c8f4b4a950f99fdf36e25
SHA256c9d213c4fb5d9306c795103cefdb14aee64dfae856634bff14f86d8ab9529363
SHA5120a5f69a3dbfca5dfa52f6d930dbd927454ee846096cc1eab0a95daace91147f9b8512be73211cdda6c4d6c82eac435efcc250d00ce76f5427a2d7b7d1d16ea16
-
Filesize
10KB
MD59c268686a7d7747d2d7151f2e8ba86dc
SHA1eb3c5ef25a82ebd1c401b69fada9f64a81c828cd
SHA25657435342c39f94ea4be8f7a8858ec2452cec38d07e25377d960835466e701404
SHA512125e38a90654e9d7bbd49a2eaee57008bda72a3736a3bb6df737e72bc357fb6b2efc2a1ef511f384f36b5cdc2ee56a64bdc40ee8a7bbcda4b3ea6defb1a15e46
-
Filesize
13KB
MD572739a671b38a1415a34b01e889eef8c
SHA1659c882d6bc07ba7cfc17032aa45f6c844899fbb
SHA256beec318a72725fb0368314323edd9ee5aee5ec1c5e1b05007ba256f6d9e56130
SHA512cbe27b35b2ba74adbe9bff4623699fda9ddba81eb2a6d5b6b02118b3753b9fb77668d994d4a49c2808aa717b39da0ef2b8259917dfd5cf2370794f5dbcf8fb67
-
Filesize
7KB
MD5b2028140fa4cbf503d66fbe10bd76f26
SHA13e503eaec4a668d203beebe2aca8459254b076a1
SHA256d21c39e50f3b7fdc0b8e8ffb25d60355bddd327480a3a156850de5adcb94b0d0
SHA51285a2f2cbf51542a858ec83166c2263fa8852d347f69df8ebc40255e5dfde37df4437838092365057738303da88e1de5494b81754524f47f0d8ec7b485b7b0e47
-
Filesize
4KB
MD508db019c719be1a09c3940e1b24b7a34
SHA18e509ecafc07bf300e291113efeca2bf3005e283
SHA256c57ad919a40c737865ea30c3eb40f354768b4297ff85af72b90ba19451ec3fdb
SHA512c2dfff59ef2616bcc2df43d2dc0220851593458382769ff1e15387e17adc71324ed8883d5f5bbd0a924056eb42ee48ce0d2347bac6b47d70bbbc3284fa79ce38
-
Filesize
49KB
MD5d3b3a92c24e3116aa0d80c17cdecc751
SHA19f707a103bd75ca70c6f508e291bcf95bc98a926
SHA2562a605ad87f8eddef033d715a88bcbe1c71bfec73afaba0b0093255bdc5dc9725
SHA5128a0076681ab4b67da541fd5b4c6971ac97c5df723e3c272b5e7d7f30f06c9989ae1d156ff77e9fa916664e745656a184d78c47058a1f9fdd763b6a4809f5984d
-
Filesize
7KB
MD5cfa3db2392727e17e3ce1949265f8b75
SHA1ecefd4045a51a9b74c0d41b553dd9501df57edb0
SHA2568630e5f3b6027c60bdae79da13cc99ef01509bb629f3e4c80abcf238bcd4c0da
SHA5129f015eb5f3f461f58e5638006f980a17bf7179b81f587bc66d19bae7901b3db4b8943a2828ad64e7b3d285fc2d37c7e77c08c6aef8e1108e89989381bcf48904
-
Filesize
25KB
MD5f0416064e3b9acf1395bc055a3b35ebe
SHA1b12e729e5f2e2e78f544c9f33be14baf11c6cf61
SHA256b36328d83ea812fa0ff4f22396ab1d00c12d0c2be2e2c68a6b493637e05e61cf
SHA5125776a9bb97054c2e9335c789ba08b58d9fb6d2fd0c6c829ea24f007a1664824cb00877cbc389ef117560bca2cf83f8c3d9ce1db7eeafa29755f4c785067b353c
-
Filesize
21KB
MD5e04f3a812190a0c97f17b919a3d6c893
SHA10bdd522db31aa7cf71059b1f7935b5cc23fceae7
SHA256b16457edc824db0ccf4a8e92dc6690912b9a5ccafbc8beeb4a05f413238343ae
SHA512901c2b204424a4eb43f99164abcb0681e31038e0b370cef60b13eb1eb1117d3b803a2d2fb87567c48b0adb01e9ad059cf608a9d16ca52335755c89c3d4bef7c6
-
Filesize
37KB
MD5b1722f734c673eae83fd85da62cd1bb4
SHA1667223a4965434476ffa77f3853bba5bef6c44cd
SHA256aec15efc14a733ef94db18dae1de008a2e857f29b8c340aa79db90f86be14519
SHA512b4f3ab57145168b716290498a8158dbc67f28ced324e45d0f52540c937a3e2e59d0d30868b055bff0468e186d81bdbcc7f23eb4f0d6aa40fd77d478d234d5eb4
-
Filesize
20KB
MD5dd8ff47391db6972be6a572a46736fbd
SHA10023b1da3ebf63ab486ab614c668a52b4ebe06cb
SHA256858919b8712d9959e3cde615ff6093e830aa052e8d538c24c3da562b354aa5c6
SHA5129370b85a3e3cf047c1718d2a5eed2a9a1e4bcb104daf57f93ea8015b6bad0bbfa77bd071562073ac37ca7a22835b2548e31823c58a7ee78228a18c24e6a6d08f
-
Filesize
839KB
MD5c46061fd868c37fa817f904947d29dc4
SHA1a901008a6ddf678091b22107744b361118bf9d37
SHA256c06e0f8d918ade40598444dc129fa8e1102417559570f9abbab1bd1b4d360ea4
SHA51293b4b5fe3620c6776c7b0e3c12a5a6b258977ec7333d84f78837f952ec5f5ae15506d5c65e1cc5f8e1c4754d42c5d23e63766483899e7f7ae587e32f6b41db9b
-
Filesize
21KB
MD5ebad25d4b573e06b968923cc86997581
SHA1d36be5b849b01dd3619ff16a2ab6c2b749b9d549
SHA256a3b31246ac37fce753066f5fe03739eac0407648ffe36dbc3f1d9ed949f1ee6e
SHA512d9b401e5f3a62cb596edffe7366c9cf525abd037aaa9d13416bf41b47c0ada88fdf7aca3584dffc75ab4e72a85fb6ce86c59057a311d6ba540c2a758d48569a5
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
844KB
-
Filesize
844KB
-
Filesize
844KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
2.5MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
2.4MB
-
Filesize
2.4MB
-
Filesize
64KB
-
Filesize
1.6MB
-
Filesize
64KB
-
Filesize
1.6MB
-
Filesize
32KB
-
Filesize
32KB
-
Filesize
2.3MB
-
Filesize
2.3MB
-
Filesize
840KB
-
Filesize
840KB